An Anomaly-based Web Application Firewall

A simple and effective web application firewall is presented. This system can detect both known and unknown web attacks following a positive security model. For attack detection, the system relies on an XML file, which thoroughly describes normal web application behavior. Any irregular behavior is flagged as intrusive. An initial training phase is required to statistically characterize how normal traffic for a given target application looks like. The system has been tested with a real web application as target and an artificial request generator as input. Experiments show that after the training phase, when the XML file is correctly configured, good results are obtained, with a very high detection rate and a very low false alarm rate.